Perfect Forward Secrecy (PFS) is a property of key-exchange protocols that keeps session keys protected even if a long-term key is compromised. PFS accomplishes this by deriving a new key for each and every session.
Setup Dovecot
Dovecot (at least from 2.1.x) already uses PFS, but the corresponding entries are not in the log files. Therefore, only %k has to be added to login_log_format_elements. The entry is defined either in /etc/dovecot/dovecot.conf or /etc/dovecot/conf.d/10-logging.conf:
login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k"
Older mail clients do not always use DHE. Compatibility can be maintained with a custom ssl_cipher_list. At the moment I'm using:
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL
Setup Postfix
Postfix requires two DHE keys, which must be entered in main.cf.
Create the keys:
openssl gendh -out /etc/postfix/dh_512.pem -2 512
openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
Adjust Postfix:
postconf -e "smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem"
postconf -e "smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem"
postconf -e "smtpd_tls_eecdh_grade = strong"
postconf -e "tls_preempt_cipherlist = yes"
postconf -e "smtpd_tls_loglevel = 1"
postconf -e "smtp_tls_loglevel = 1"
With the tls_loglevel settings, the ciphers used are written to the log.
Postfix must then load the changed configuration:
postfix reload
The logs of Dovecot and Postfix can then be searched using grep for DHE or ECDHE.
zegrep ".*with cipher" /var/log/dovecot.log | awk '{printf("%s %s %s %s\n", $14, $15, $16, $17)}' | sort | uniq -c | sort -n
zegrep "TLS connection established from.*with cipher" /var/log/mail.log | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n
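The awk one-liners above pick the cipher by column position, which shifts whenever the log prefix changes. As an added example (not part of the original post), this script takes the token after "with cipher" and labels each cipher by key exchange; the log lines are constructed samples, and the TLS 1.3 rule goes beyond the DHE/ECDHE check the page describes.

```shell
#!/bin/sh
# Added example: summarise negotiated ciphers in Postfix/Dovecot logs and
# label each one as forward-secret ("pfs") or not ("no-pfs").

# Constructed sample log lines (hosts, addresses and PIDs are made up).
sample_log() {
    cat <<'EOF'
Jan 10 09:00:01 mx postfix/smtpd[1201]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 09:00:05 mx postfix/smtpd[1202]: Anonymous TLS connection established from old.example.net[192.0.2.20]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jan 10 09:00:09 mx postfix/smtpd[1203]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 09:01:00 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.30, lip=192.0.2.1, mpid=4242, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
EOF
}

# classify_ciphers: read log lines on stdin, print "<count> <pfs|no-pfs> <cipher>".
classify_ciphers() {
    awk '
    /with cipher / {
        # Use the token after "with cipher " rather than a fixed column number.
        line = $0
        sub(/.*with cipher /, "", line)
        split(line, parts, " ")
        cipher = parts[1]
        # DHE-/ECDHE- (and the legacy OpenSSL EDH- prefix) mean an ephemeral
        # key exchange. TLS 1.3 suite names (TLS_...) do not encode the key
        # exchange; full TLS 1.3 handshakes always use ephemeral (EC)DHE.
        if (cipher ~ /^(ECDHE|DHE|EDH)-/ || cipher ~ /^TLS_/) kind = "pfs"
        else kind = "no-pfs"
        count[kind " " cipher]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2,2 -k1,1nr
}

# no_pfs_count: number of connections that negotiated a non-ephemeral key exchange.
no_pfs_count() {
    classify_ciphers | awk '$2 == "no-pfs" { n += $1 } END { print n + 0 }'
}

sample_log | classify_ciphers
```

On a real host, replace `sample_log` with `zcat -f /var/log/mail.log*` or the Dovecot log path used above.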
PFS can also be tested with openssl:
openssl s_client -starttls smtp -connect example.com:25
openssl s_client -starttls imap -connect example.com:143
Check the Protocol and Cipher fields in the SSL-Session output:
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384